05-08-2007 05:35 AM - edited 03-11-2019 03:10 AM
When I apply an acl to the DMZ interface I lose the dmz devices connection to the internet? The access-list / access-group I apply works as it should, but internet is gone. When I remove the access-group, internet access comes back. I have tried applying other acl's, nat/global combinations w/no luck. I have added my complete running config for anyone to look at that would be willing to help. I have been self teaching myself this PIX 515e for 3 weeks with help from books, www and friends I think I have part of it figured out.... at least traffic is moving. Any help would be much appreciated.
Shane
05-08-2007 05:36 AM
Because the acl really looks like this
access-list ACLDMZ_IN permit tcp any host 0.0.0.0 eq www
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-list ACLDMZ_IN deny ip any any
edit: read too quickly, where is your dns server for dmz hosts? If it is outside of DMZ you need to allow that traffic. I would write it like this. (if dns server is inside or outside)
access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080
access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080
access-list ACLDMZ_IN permit udp any host
access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0
access-list ACLDMZ_IN permit tcp any any eq www
access-list ACLDMZ_IN deny ip any any
If you are trying to restrict traffic to the inside, do not put the permit for www traffic first, that would allow www to inside as well and would defeat the purpose of filtering the traffic.
05-08-2007 05:48 AM
DNS servers reside on outside if (currently this is an internal firewall that we are testing in preparation to put into production). Our in-house dns servers are currently on the "outside" if of the pix in its current config (but are really our internal domain ctrlrs).
The 0.0.0.0 was an attempt to allow www access from the dmz if w/out blocking the rules needed for the two ip's that require 8080 traffic. It didn't work.
Thanks for responding, I am open to ANY suggestions as all my learnings have come from my own research...thanks in advance!
05-08-2007 05:50 AM
Oh! The rest of your message just came through... I may have responded too quickly... I am reading now...
05-08-2007 06:22 AM
Does that make sense? Allow what you want to allow inside to 10.x.x.x, deny everything else inside to 10.x.x.x, then allow everything outside (www, dns etc.).
05-08-2007 06:33 AM
Most of it does....By the way, that did it! DMZ devices now can access INSIDE devices as well as hit the www. Thanks! Now I need to read up on why those commands worked. If you have time, I have a couple follow-up questions:
The "eq" to domain at the end of this ace..does the pix know it is coming from a domain?
access-list ACLDMZ_IN permit udp any host
Also, I assume I should add ACE's for both dns servers?
Thanks again for your prompt assistance!
Shane
Col, OH
05-08-2007 06:38 AM
No, the acl with "eq domain" is the same as if it said "eq 53" or port 53, which is dns. The pix just changes the number to the word "domain". It will do the same for other ports as well like tcp 21, as it will say "eq ftp". So these two statements are the same thing
access-list ACLDMZ_IN permit udp any host
access-list ACLDMZ_IN permit udp any host
And yes, you will add another line for your other dns server. Remember, the pix looks at the access-list from the top down and will stop at the first match. That is why this works as it does.
Please rate if these help.
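An added example (not from the thread or from Cisco) that models the top-down, first-match evaluation and the port-keyword substitution described above, run against the recommended ACL and against the www-first ordering the answer warns against. The DMZ host 10.10.30.5, the inside host 10.10.1.10, the outside host 198.51.100.7 and the DNS server 192.0.2.53 are constructed placeholders, since the thread's DNS line is truncated.

```python
import ipaddress
# Port keywords the PIX substitutes for numbers when it shows an ACE
PORT_NAMES = {"www": 80, "domain": 53, "ftp": 21}

def _addr(tokens):  # consume one of: any | host A | A MASK
    kind = tokens.pop(0)
    if kind == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if kind == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    return ipaddress.ip_network(f"{kind}/{tokens.pop(0)}", strict=False)

def parse_ace(line):
    """Parse 'access-list NAME permit|deny PROTO SRC DST [eq PORT]'."""
    t = line.split()
    assert t[0] == "access-list", line
    ace = {"name": t[1], "action": t[2], "proto": t[3]}
    rest = t[4:]
    ace["src"], ace["dst"] = _addr(rest), _addr(rest)
    ace["dport"] = (PORT_NAMES.get(rest[1]) or int(rest[1])) if rest[:1] == ["eq"] else None
    return ace

def evaluate(acl, proto, src, dst, dport):
    """Top-down evaluation: first match wins, implicit deny if nothing matches."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in map(parse_ace, acl):
        if (ace["proto"] in ("ip", proto) and s in ace["src"]
                and d in ace["dst"] and ace["dport"] in (None, dport)):
            return ace["action"]
    return "deny"

# Ordering from the accepted answer; 192.0.2.53 is a constructed DNS placeholder
GOOD = [
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.200 eq 8080",
    "access-list ACLDMZ_IN permit tcp any host 10.10.20.190 eq 8080",
    "access-list ACLDMZ_IN permit udp any host 192.0.2.53 eq domain",
    "access-list ACLDMZ_IN deny ip any 10.10.0.0 255.255.0.0",
    "access-list ACLDMZ_IN permit tcp any any eq www",
]
# Same ACEs with the www permit moved to the top, the order the answer warns against
BAD = [GOOD[-1]] + GOOD[:-1]

def check(src="10.10.30.5"):  # constructed DMZ host address
    return {
        "inside_www_good": evaluate(GOOD, "tcp", src, "10.10.1.10", 80),
        "inside_www_bad": evaluate(BAD, "tcp", src, "10.10.1.10", 80),
        "internet_www": evaluate(GOOD, "tcp", src, "198.51.100.7", 80),
        "inside_8080": evaluate(GOOD, "tcp", src, "10.10.20.200", 8080),
        "dns_by_number": evaluate(GOOD, "udp", src, "192.0.2.53", 53),
        "inside_ssh": evaluate(GOOD, "tcp", src, "10.10.1.10", 22),
    }
```

With the www permit first, DMZ-to-inside port 80 is permitted before the deny to 10.10.0.0/16 is ever reached; with the recommended order it is denied while web and DNS to the outside still pass.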
05-08-2007 06:46 AM
Oh, that's right... I remember reading that somewhere (my brain is pix mush at this point)..... And yes, I forgot how important the order of the ace's is in an acl. Got it.
Rated you a "5"... would go 10 if I could. Much thanks from pix greenie in Col, Ohio. I'm not done with it though - a few more tests before it goes into prod. You may see more ?'s from me. Again, much obliged.
Shane
05-08-2007 06:49 AM
You could rate my first post a 5 and that would give me 10! haha
Glad I could help.